CWE vs CVE in terms of their usage

What is the difference between CWE (Common Weakness Enumeration) and CVE (Common Vulnerabilities and Exposures)? What is the difference in terms of their usage?

user2601620 asked Jul 20 '13 05:07


2 Answers

A CVE (Common Vulnerabilities and Exposures) entry is generally composed of:

  • An ID (e.g. CVE-2020-1403);
  • A description of the vulnerability;
  • A CVSS score (I will talk about it after);
  • A CWE (the kind / family of vulnerability);
  • A list of CPEs (the products impacted by the CVE).

With a CVE we can know the basic information about a vulnerability, and we can also evaluate the criticality with the CVSS score. The CVSS score is calculated from some vectors, and the score between 0 and 10 gives the criticality. There is a temporal score for CVSS. This score gives a criticality as a function of time. For example, if today there is no patch for a vulnerability, the temporal score will be high. But if tomorrow a patch is provided, the temporal score will decrease.

The CWE is the kind of vulnerability. Theoretically every vulnerability can be qualified by a CWE. For example, if the vulnerability's cause is an XSS (cross-site scripting), the CWE defining it will be "CWE-79". It's possible to find all these CWEs and their descriptions here: https://cwe.mitre.org/index.html

Laurent Graff answered Oct 16 '22 11:10


CVE: vulnerabilities in particular software packages, e.g. CVE-2013-3527: SQL injection in Vanilla Forums.

CWE: classes of weaknesses that can lead to a vulnerability, e.g. CWE-89: SQL injection.

bobince answered Oct 16 '22 11:10
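To make the distinction in both answers concrete, here is a small added example (not from either answer or from any official CVE/NVD tooling) that treats CVE records as instances and CWEs as the classes they belong to: it validates CVE IDs, buckets CVSS base scores into the CVSS v3 qualitative bands, groups CVEs by their CWE, and finds which CVEs affect a product via its CPE entries. The records are constructed: only the CVE-2013-3527 / CWE-89 pairing comes from the page; the `CVE-0000-*` IDs, scores and CPE strings are placeholders.

```python
import re

# Constructed sample records mirroring the composition described above
# (ID, description, CVSS score, CWE, list of CPEs). Not real CVE entries.
SAMPLE_CVES = [
    {"id": "CVE-2013-3527", "description": "SQL injection in Vanilla Forums",
     "cvss": 7.5, "cwe": "CWE-89",
     "cpe": ["cpe:2.3:a:example:vanilla_forums:2.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0001", "description": "placeholder: SQL injection in a login form",
     "cvss": 9.8, "cwe": "CWE-89",
     "cpe": ["cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0002", "description": "placeholder: stored XSS in a comment field",
     "cvss": 5.4, "cwe": "CWE-79",
     "cpe": ["cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-13-3527", "description": "placeholder: malformed ID, should be rejected",
     "cvss": 3.1, "cwe": "CWE-79", "cpe": []},
]

# CVE IDs are "CVE-<4-digit year>-<4 or more digits>".
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate_cve_id(cve_id: str) -> bool:
    """True if the string has the shape of a well-formed CVE identifier."""
    return bool(CVE_ID_RE.match(cve_id))


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating for a base score in [0, 10]."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0 and 10")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def group_by_cwe(records):
    """Map each weakness class (CWE) to the CVE instances that exhibit it."""
    groups = {}
    for rec in records:
        if not validate_cve_id(rec["id"]):
            continue  # skip malformed identifiers rather than trusting them
        groups.setdefault(rec["cwe"], []).append(rec["id"])
    return groups


def cves_for_product(records, cpe_prefix: str):
    """CVE IDs whose CPE list names a product matching the given CPE prefix."""
    return [r["id"] for r in records
            if validate_cve_id(r["id"]) and any(c.startswith(cpe_prefix) for c in r["cpe"])]
```

Grouping shows why a CWE is the right key for "which class of bug keeps recurring", while a CPE lookup answers "which entries apply to the software I run".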